From 4c80d233255c258f1788f73c1a76b2659217139d Mon Sep 17 00:00:00 2001
From: kink <kink@7612ce4b-ef26-0410-bec9-ea0150e637f0>
Date: Tue, 14 Jun 2005 10:22:22 +0000
Subject: [PATCH] Disable access to the administrator plugin when plugin is
 disabled in config. Stable team/Jon: can I commit this into stable aswell?

git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@9603 7612ce4b-ef26-0410-bec9-ea0150e637f0
---
 ChangeLog                      | 2 ++
 plugins/administrator/auth.php | 9 +++++++--
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index aa749be2..7aa04759 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -364,6 +364,8 @@ Version 1.5.1 -- CVS
     Thanks to Roalt Zijlstra.
   - Identity code was not checking for domain part in username before setting
     email address (Bug #1219184).
+  - Disallow access to the administrator plugin screens when the plugin is
+    not enabled in the config.
 
 
 Version 1.5.0 - 2 February 2004
diff --git a/plugins/administrator/auth.php b/plugins/administrator/auth.php
index 472beaf8..0ba71947 100644
--- a/plugins/administrator/auth.php
+++ b/plugins/administrator/auth.php
@@ -19,9 +19,14 @@
  * @return boolean
  */
 function adm_check_user() {
-    global $PHP_SELF;
+    global $PHP_SELF, $plugins;
     require_once(SM_PATH . 'functions/global.php');
 
+    /* fail if the plugin is not enabled */
+    if ( !in_array('administrator', $plugins) ) {
+        return FALSE;
+    }
+
     if ( !sqgetGlobalVar('username',$username,SQ_SESSION) ) {
         $username = '';
     }
@@ -58,4 +63,4 @@ function adm_check_user() {
 function adm_array_trim(&$value,$key) {
     $value=trim($value);
 }
-?>
\ No newline at end of file
+?>
-- 
2.25.1